
How to Enroll macOS Devices in Microsoft Intune

Complete guide to enrolling macOS devices in Microsoft Intune. Covers user enrollment, device enrollment, and Automated Device Enrollment (ADE).

14 min read | Updated January 2025


Microsoft Intune provides robust management capabilities for macOS devices, enabling organizations to secure and configure Macs alongside Windows devices from a single console. This guide walks through the various enrollment methods available for macOS, helping you choose the right approach for your organization.

Overview

macOS enrollment in Intune offers three primary methods, each designed for different ownership and management scenarios:

Enrollment Method                 | Best For                          | Management Level       | User Privacy | Prerequisites
----------------------------------+-----------------------------------+------------------------+--------------+-----------------------
Automated Device Enrollment (ADE) | Corporate-owned, new devices      | Full device management | Low          | Apple Business Manager
Device Enrollment                 | Corporate-owned, existing devices | Full device management | Low          | Company Portal app
User Enrollment                   | BYOD, personal devices            | Managed partition only | High         | Company Portal app

Prerequisites

Before enrolling macOS devices, ensure you have the following:

Licensing Requirements:

  • Microsoft Intune license (standalone or included with Microsoft 365 E3/E5, Business Premium)
  • Azure AD Premium P1 for Conditional Access features

Apple Requirements:

  • Apple Business Manager account (required for ADE, recommended for all)
  • Apple MDM Push certificate configured in Intune
  • macOS 12 (Monterey) or later

Administrative Access:

  • Global Administrator or Intune Administrator role
  • Access to Microsoft Intune admin center (intune.microsoft.com)
  • Apple Business Manager administrator access (for ADE)

Recommended Preparation:

  • Configure Apple MDM Push certificate
  • Set up Apple Business Manager integration
  • Create device compliance policies for macOS
  • Prepare configuration profiles

Step 1: Configure Apple MDM Push Certificate

The Apple MDM Push certificate enables communication between Intune and macOS devices. This is required for all enrollment methods.

Create and Upload the Certificate

  1. Sign in to the Microsoft Intune admin center: https://intune.microsoft.com

  2. Navigate to Devices > Enrollment > Apple > Apple MDM Push Certificate

  3. Select I agree to grant Microsoft permission to send data to Apple

  4. Click Download your CSR to download the certificate signing request

    • Save the file (IntuneCSR.csr) to a known location
  5. Click Create your MDM push Certificate to open the Apple Push Certificates Portal

  6. Sign in with your Apple ID (use a corporate Apple ID, not personal)

    • This Apple ID will be needed for annual certificate renewal
  7. Click Create a Certificate

  8. Accept the Terms of Use

  9. Click Choose File and select the CSR file downloaded from Intune

  10. Click Upload

  11. Click Download to save the certificate file (.pem)

  12. Return to the Intune admin center

  13. Enter the Apple ID used to create the certificate

  14. Click Browse and select the downloaded .pem certificate file

  15. Click Upload

Certificate Renewal Reminder

The Apple MDM Push certificate expires annually. Set a calendar reminder for renewal:

  • Certificate expiration appears in Intune under Apple MDM Push Certificate
  • Renew the certificate before expiration to avoid re-enrollment of all devices
  • Use the same Apple ID for renewal to maintain device management
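As an added check to back up the calendar reminder (this script is not from the original guide), the function below reads the expiry of the certificate file downloaded from the Apple Push Certificates Portal with openssl and exits non-zero when renewal is due; the PEM path and the 30-day warning threshold are assumptions.

```shell
#!/bin/sh
# Added example (not from the original guide): warn when the Apple MDM Push
# certificate is close to its annual expiry. Assumes the certificate was
# saved as a PEM file whose path is passed as the first argument.

# mdm_cert_check PEM_FILE [DAYS]
#   exit 0  valid for more than DAYS days (default 30)
#   exit 1  expires within DAYS days: renew in Intune now, with the same Apple ID
#   exit 2  already expired: all devices will have to be re-enrolled
#   exit 3  file unreadable or not an X.509 certificate
mdm_cert_check() {
    pem=$1
    days=${2:-30}
    openssl x509 -in "$pem" -noout >/dev/null 2>&1 || return 3
    echo "$(openssl x509 -in "$pem" -noout -subject)"
    echo "expires: $(openssl x509 -in "$pem" -noout -enddate | sed 's/^notAfter=//')"
    # -checkend N succeeds only if the certificate is still valid N seconds from now
    if ! openssl x509 -in "$pem" -noout -checkend 0 >/dev/null; then
        echo "EXPIRED: create a new certificate and re-enroll devices"
        return 2
    fi
    if ! openssl x509 -in "$pem" -noout -checkend $((days * 86400)) >/dev/null; then
        echo "WARNING: expires within $days days; renew under" \
             "Devices > Enrollment > Apple > Apple MDM Push Certificate"
        return 1
    fi
    echo "OK: more than $days days remaining"
    return 0
}

# Usage: sh mdm_cert_check.sh /path/to/MDM_Certificate.pem 30   (path is a placeholder)
if [ $# -gt 0 ]; then
    mdm_cert_check "$@"
fi
```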

Step 2: Set Up Apple Business Manager Integration

Apple Business Manager (ABM) enables Automated Device Enrollment and provides additional management capabilities.

  1. Sign in to Apple Business Manager: https://business.apple.com

  2. Navigate to Settings > Device Management Settings

  3. Click Add MDM Server

  4. Enter a name for the server (e.g., "Microsoft Intune")

  5. Check Allow this MDM server to release devices if desired

  6. Click Save

  7. Click Download Token to download the server token file

  8. Return to the Intune admin center

  9. Navigate to Devices > Enrollment > Apple > Enrollment program tokens

  10. Click Add

  11. Grant permission to Apple

  12. Click Browse and select the token file downloaded from ABM

  13. Click Add

Assign Devices to Intune in ABM

  1. In Apple Business Manager, go to Devices

  2. Select the devices you want to manage with Intune

  3. Click Edit MDM Server

  4. Select your Intune MDM server

  5. Click Continue to assign devices

Devices will sync to Intune within minutes. Verify in Intune under Devices > Apple > iOS/iPadOS enrollment > Enrollment program tokens > [Your token] > Devices.

Method 1: Automated Device Enrollment (ADE)

Automated Device Enrollment provides the best experience for corporate-owned devices, enabling zero-touch deployment and supervision.

Step 1: Create an Enrollment Profile

  1. In the Intune admin center, navigate to Devices > macOS > macOS enrollment

  2. Select Enrollment program tokens

  3. Click on your Apple Business Manager token

  4. Select Profiles > Create profile > macOS

  5. Enter a Name for the profile (e.g., "macOS Corporate Enrollment")

  6. Enter a Description (optional)

Step 2: Configure Device Management Settings

Configure the following settings:

User Affinity:

  • Enroll with User Affinity: associates the device with a user (recommended for personal-use devices)
  • Enroll without User Affinity: no user association (for shared or kiosk devices)

Authentication Method:

  • Select Company Portal for modern authentication
  • Or select Setup Assistant (legacy) for basic authentication

Locked enrollment: Yes (prevents users from removing management profile)

Await final configuration: Yes (recommended - holds device at Setup Assistant until all profiles are installed)

Step 3: Configure Setup Assistant Settings

Customize the out-of-box experience by showing or hiding Setup Assistant screens:

Setting            | Recommendation | Description
-------------------+----------------+----------------------------------------------
Department         | Show           | Displays organization name
Device Name        | Hide           | Uses naming template instead
Appearance         | Hide           | Skip light/dark mode selection
Apple ID           | Show           | Allow users to sign in with personal Apple ID
Privacy            | Show           | Displays privacy information
Restore            | Hide           | Prevents restoring from personal backup
Screen Time        | Hide           | Skip Screen Time setup
FileVault          | Show           | Enable disk encryption setup
iCloud Diagnostics | Hide           | Skip diagnostic consent
Registration       | Hide           | Skip Apple registration
Accessibility      | Show           | Allow accessibility configuration
Siri               | Hide           | Skip Siri setup
Touch ID           | Show           | Allow biometric setup
Passcode           | Show           | Require device passcode setup

Step 4: Assign Profile to Devices

  1. Click Next to continue

  2. Under Assignments, click Add groups or Add all devices

  3. Select the device groups to target (or leave as All devices)

  4. Click Next

  5. Review settings and click Create

Step 5: Deploy Devices

  1. Ship devices directly to users, or configure them in the IT department first

  2. When the user turns on the Mac, it will:

    • Connect to the internet
    • Download the enrollment profile from Apple
    • Display the customized Setup Assistant
    • Prompt for Azure AD credentials
    • Enroll in Intune
    • Apply assigned policies and configurations
  3. The Company Portal app will automatically install if configured

Step 6: Verify Enrollment

  1. In Intune admin center, go to Devices > macOS > macOS devices

  2. Locate the enrolled device

  3. Verify:

    • Enrollment type: Automated device enrollment
    • Management state: Managed
    • Compliance status: Compliant (after policies apply)

Method 2: Device Enrollment (Company Portal)

Device Enrollment allows users to enroll existing corporate-owned or dedicated macOS devices through the Company Portal app.

Step 1: Configure Enrollment Restrictions

  1. Navigate to Devices > Enrollment > Enrollment device platform restrictions

  2. Click on macOS restrictions or create a new restriction

  3. Configure:

    • Platform settings: Allow macOS enrollment
    • Personally owned: Block (if only corporate devices should enroll)
    • Minimum/Maximum OS version: Set version requirements
  4. Assign to appropriate groups

Step 2: Install Company Portal on the Mac

Users can install Company Portal through multiple methods:

Option A: Direct Download

  1. Open Safari on the Mac
  2. Navigate to: https://go.microsoft.com/fwlink/?linkid=853070
  3. Download the Company Portal installer (.pkg)
  4. Double-click to install

Option B: App Store (if available)

  1. Open the App Store
  2. Search for "Intune Company Portal"
  3. Click Get to install

Step 3: Enroll the Device

  1. Open the Company Portal app

  2. Click Sign in and enter Azure AD credentials

  3. Complete multi-factor authentication if prompted

  4. Review the information about device enrollment

  5. Click Begin to start enrollment

  6. The enrollment process will:

    • Download the management profile
    • Prompt to allow installation of the profile
    • Request administrator credentials for profile installation
  7. When prompted, enter the Mac administrator password to authorize profile installation

  8. Click Allow in System Settings when prompted to approve the MDM profile

Step 4: Approve MDM Profile in System Settings

macOS requires manual approval of MDM profiles:

  1. A notification appears: "Profile installation required"

  2. Open System Settings > Privacy & Security

  3. Scroll down to Profiles (or Profiles & Device Management on older macOS)

  4. Click on the Management Profile

  5. Click Approve or Install

  6. Enter administrator credentials if prompted

  7. Return to Company Portal to verify enrollment completion

Step 5: Verify Device Enrollment

  1. In the Company Portal app, the device should show as "Enrolled"

  2. Check Device Details to see compliance status

  3. In Intune admin center, verify the device appears under Devices > macOS > macOS devices

Method 3: User Enrollment (BYOD)

User Enrollment provides a privacy-focused enrollment method for personal devices, managing only corporate data without accessing personal information.

Step 1: Enable User Enrollment

  1. Navigate to Devices > Enrollment > Apple > Apple enrollment types

  2. Click Edit or create a new enrollment type profile

  3. Configure:

    • Name: macOS User Enrollment
    • Enrollment type: User enrollment with Company Portal
    • Targeted users: Select groups for BYOD users
  4. Click Save

Step 2: User Enrollment Process

Users complete enrollment through Company Portal:

  1. Install the Company Portal app

  2. Sign in with Azure AD credentials

  3. Select User enrollment when presented with enrollment options

  4. Review privacy information (shows what IT can and cannot see)

  5. Proceed with enrollment

  6. macOS creates a separate managed APFS volume for corporate data

  7. The MDM profile manages only the corporate partition

Step 3: Understand User Enrollment Limitations

User Enrollment has reduced management capabilities compared to Device Enrollment:

Capability                  | Device Enrollment | User Enrollment
----------------------------+-------------------+----------------------------
Remote wipe                 | Full device       | Corporate data only
Passcode enforcement        | Yes               | Yes
Wi-Fi profiles              | Yes               | Yes
VPN profiles                | Yes               | Yes
Certificate deployment      | Yes               | Yes
App deployment              | Yes               | Yes (to managed partition)
Device restrictions         | Yes               | Limited
FileVault management        | Yes               | No
Kernel extension management | Yes               | No
System extension management | Yes               | No

User Privacy in User Enrollment

IT administrators cannot see or access:

  • Personal apps and app usage
  • Personal browsing history
  • Personal email, text messages, or phone calls
  • Personal photos, videos, or files
  • Device location (unless enabled by user)
  • Device name (shows managed Apple ID instead)

Post-Enrollment Configuration

Deploy Configuration Profiles

After enrollment, deploy essential configuration profiles:

Security Settings:

  1. Navigate to Devices > macOS > Configuration profiles
  2. Create profiles for:
    • FileVault encryption (Device Enrollment only)
    • Firewall settings
    • Password requirements
    • Privacy preferences policy control

Productivity Settings:

  • Wi-Fi network configurations
  • VPN settings
  • Email account settings
  • Certificate deployment

Deploy Applications

  1. Navigate to Apps > macOS

  2. Click Add and select app type:

    • macOS app (DMG): For .dmg installer files
    • macOS app (PKG): For .pkg installer files
    • Microsoft 365 Apps: Office suite
    • macOS LOB app: Line-of-business apps
  3. Configure app assignment to enrolled devices

Configure Compliance Policies

  1. Navigate to Devices > Compliance > Policies

  2. Click Create policy > macOS

  3. Configure compliance settings:

    • OS version: Minimum and maximum
    • Password requirements: Complexity, length
    • Encryption: Require FileVault
    • System Integrity Protection: Required
  4. Assign to device groups

Troubleshooting

Company Portal Won't Install Profile

Symptoms: Profile download succeeds but installation fails.

Solutions:

  1. Verify the user has administrator privileges on the Mac
  2. Check that System Integrity Protection (SIP) is enabled
  3. Open System Settings > Privacy & Security > Profiles to manually install
  4. Restart the Mac and try again
  5. Check for pending macOS updates and install them

Device Not Syncing with Intune

Symptoms: The device's "Last check-in" timestamp in Intune is stale.

Solutions:

  1. Open Company Portal > Preferences > Sync
  2. Verify internet connectivity
  3. Check that the MDM profile is still installed:
    • System Settings > Privacy & Security > Profiles
  4. Review Console app for MDM-related errors:
    • Filter by "mdmclient" process
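The Step 6 enrollment verification, the Device Enrollment profile-approval step, and the sync checks above can all be run from a terminal on the Mac. This added script (not from the original guide) classifies the output of `profiles status -type enrollment` and prints the FileVault, SIP and recent mdmclient-error state; the two-line output format it parses is assumed from macOS 11 and later.

```shell
#!/bin/sh
# Added example (not part of the original guide): read a Mac's MDM enrollment
# state from the command line. The two-line output of
# `profiles status -type enrollment` ("Enrolled via DEP: ..." / "MDM enrollment: ...")
# is assumed from macOS 11+; adjust the patterns if Apple changes it.

# classify_enrollment TEXT  -> prints one of:
#   ade-approved     enrolled through ADE; MDM profile user-approved (supervised)
#   manual-approved  Company Portal device enrollment; MDM profile approved
#   manual-pending   MDM profile present but not yet approved in System Settings >
#                    Privacy & Security > Profiles (the approval step was skipped)
#   not-enrolled     no MDM profile on the device
classify_enrollment() {
    dep=$(printf '%s\n' "$1" | sed -n 's/^Enrolled via DEP: *//p')
    mdm=$(printf '%s\n' "$1" | sed -n 's/^MDM enrollment: *//p')
    case "$mdm" in
        Yes*"User Approved"*)
            if [ "$dep" = "Yes" ]; then echo ade-approved; else echo manual-approved; fi ;;
        Yes*) echo manual-pending ;;
        *)    echo not-enrolled ;;
    esac
}

# check_mac: live checks; does nothing when not run on macOS (no `profiles` binary)
check_mac() {
    command -v profiles >/dev/null 2>&1 || { echo "profiles(1) not found; not macOS" >&2; return 0; }
    echo "enrollment: $(classify_enrollment "$(profiles status -type enrollment 2>/dev/null)")"
    echo "filevault:  $(fdesetup status)"   # compliance policy expects "FileVault is On."
    echo "sip:        $(csrutil status)"    # expect "... status: enabled."
    # Recent mdmclient errors, as in the Device Not Syncing troubleshooting step
    log show --last 1h --predicate 'process == "mdmclient"' 2>/dev/null | grep -i error | tail -n 5
}

# Constructed samples (not captured from a real device) that exercise the classifier
SAMPLE_ADE='Enrolled via DEP: Yes
MDM enrollment: Yes (User Approved)'
SAMPLE_PENDING='Enrolled via DEP: No
MDM enrollment: Yes'
SAMPLE_NONE='Enrolled via DEP: No
MDM enrollment: No'
for s in "$SAMPLE_ADE" "$SAMPLE_PENDING" "$SAMPLE_NONE"; do
    printf '%s  =>  %s\n' "$(printf '%s' "$s" | tr '\n' ';')" "$(classify_enrollment "$s")"
done
check_mac
```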

Automated Enrollment Not Starting

Symptoms: The device shows the standard Setup Assistant instead of the organization's enrollment screen.

Solutions:

  1. Verify device is assigned to Intune in Apple Business Manager
  2. Check that enrollment profile is assigned to the device group
  3. Factory reset the device and restart enrollment
  4. Verify network connectivity during initial setup
  5. Check serial number matches between ABM and physical device

FileVault Recovery Key Not Escrowed

Symptoms: FileVault is enabled but recovery key not in Intune.

Solutions:

  1. Verify FileVault profile is deployed with recovery key escrow
  2. The key escrows on next user login after FileVault enablement
  3. Check that device was enrolled before FileVault was enabled
  4. For personal recovery key issues, rotate the personal recovery key from a terminal on the Mac:
    sudo fdesetup changerecovery -personal

Common Error Messages

Error                         | Cause                           | Solution
------------------------------+---------------------------------+------------------------------------------------
"Device not supervised"       | Feature requires ADE enrollment | Re-enroll via ADE for full management
"Profile installation failed" | User not administrator          | Grant admin rights or assist with installation
"MDM enrollment failed"       | Certificate issue               | Verify Apple MDM Push certificate is valid
"User not authorized"         | Enrollment restrictions         | Check user group membership and restrictions

Best Practices

Enrollment Recommendations

  1. Use ADE for corporate devices: Provides the strongest management and best user experience
  2. Use User Enrollment for BYOD: Respects user privacy while protecting corporate data
  3. Configure Setup Assistant carefully: Only show necessary screens to streamline enrollment
  4. Enable locked enrollment: Prevent users from removing management from corporate devices
  5. Test profiles with pilot group: Validate configurations before broad deployment

Security Recommendations

  1. Require FileVault encryption: Protect data on all enrolled devices
  2. Configure Conditional Access: Require device compliance for Microsoft 365 access
  3. Enable Gatekeeper: Only allow apps from identified developers
  4. Configure System Integrity Protection: Never disable SIP
  5. Deploy managed Apple IDs: For corporate app purchases through ABM

Management Tips

  1. Use Smart Groups: Create dynamic groups based on device properties
  2. Monitor compliance: Set up alerts for non-compliant devices
  3. Plan for OS updates: Test new macOS versions before deploying update policies
  4. Document your configuration: Keep records of profiles and policies
  5. Regular audits: Review enrolled devices and remove stale entries

Next Steps

After successfully enrolling macOS devices:

  1. Deploy essential applications: Microsoft 365, company apps
  2. Configure security baselines: Implement organization security standards
  3. Set up Conditional Access: Require compliant devices for resource access
  4. Enable endpoint security: Configure Microsoft Defender for macOS
  5. Monitor device health: Use Intune reports and dashboards


Frequently Asked Questions


Microsoft Intune supports macOS 12 (Monterey) and later versions. For the best experience and full feature support, Apple recommends running the latest macOS version. Older versions may have limited functionality and will eventually lose support as Apple releases new operating systems.
